Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents


Tip
Public Resolvers:Several large organisations have announce DNS Privacy Servers - see DNS Privacy Public Resolvers
  • Quad9 (9.9.9.9) and Cloudflare (1.1.1.1) offer DNS-over-TLS on port 853
  • DOH servers are also currently listed on that page

Experimental DNS Privacy Recursive Servers

Button
TitleLive Monitoring Dashboard
URLhttps://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

...

Button
TitleMap of server locations
URLhttps://dnsprivacy.org/wiki/display/DP/Map+of+test+server+locations


Background

The following servers are configured to support TLS on port 853 for testing purposesare experimental DNS-over-TLS servers.

Warning
Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified.Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!
Tip

ANYCAST SERVICES:

  • Quad9 (9.9.9.9) and Cloudflare (1.1.1.1) offer DNS-over-TLS on port 853 - details below

Stubby

A YAML configuration file for Stubby containing a the details of these servers is provided with Stubby and and can be found here. This file enables only the subset of servers operated by the stubby/getdns developers by default, users can choose to enable any of the other servers by uncommenting the relevant section (occasionally the file lags this page).

**Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details

Test servers


Default servers in the Stubby config file (run by the Stubby developers)

Hosted byIP addressesTLS PortsHostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record publishedLoggingSoftwareNotes
1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues.
Surfnet145.100.185.15
2001:610:1:40ba:145:100:185:15
853
443
dnsovertls.sinodun.com62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
YTraffic volume onlyHAProxy + BIND 9.12
Surfnet145.100.185.16
2001:610:1:40ba:145:100:185:16
853
443
dnsovertls1.sinodun.comcE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
YTraffic volume onlyNginx + BIND 9.12
getdnsapi.net185.49.141.37
2a04:b900:0:100::37
853getdnsapi.netfoxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

YTraffic volume onlyUnbound
2) Anycast services (with no/minimal logging)Quad9 'secure'

9.9.9.9
2620:fe::fe

853dns.quad9.netQuad9 do NOT publish or recommend use of SPKI pins with their servers.See https://quad9.net and their FAQ for details of privacy, logging and filtering policies on the main and alternative addresses(1). UDP and TCP service are also available on these addresses.
Quad9 'insecure'

9.9.9.10
2620:fe::10

853dns.quad9.netCloudflare

1.1.1.1 or 1.0.0.1
2606:4700:4700::1111 or 2606:4700:4007::1001

853cloudflare-dns.comCloudflare do NOT publish or recommend use of SPKI pins with their servers.

https://blog.cloudflare.com/announcing-1111/
https://blog.cloudflare.com/dns-resolver-1-1-1-1/
PRIVACY POLICY: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/

And also see https://labs.apnic.net/?p=1127 for details of the APNIC/Cloudflare agreement as mentioned on the Register.

UDP and TCP service are also available on these addresses. DNS-over-HTTPS is also available!

NOTE: To use this service by name only (i.e resolve the IP from the name) use 1dot1dot1dot1.cloudflare-dns.com.

3) Other servers with no/minimal logging

Other servers with a 'no logging' policy

Hosted byIP addressesTLS PortsHostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record publishedLoggingSoftwareNotes
UncensoredDNS89.233.43.71 
2a01:3a0:53:53::0
853unicast.censurfridns.dkwikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=YTraffic volume only
See https://blog.uncensoreddns.org/
Surfnet145.100.185.18
2001:610:1:40ba:145:100:185:18
853dnsovertls3.sinodun.com5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=YTraffic volume onlyHAProxy + BIND 9.12Supports TLS 1.3 and TLS 1.2. We think our stability problems are solved... see here for details. NOTE: This is using OpenSSL master branch, commit 3e524bf. This is using TLS 1.3 draft-23 revision - you may experience interop problems if your client is using an earlier draft implementation.
Surfnet145.100.185.17
2001:610:1:40ba:145:100:185:17
853dnsovertls2.sinodun.comNAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=YTraffic volume onlyKnot ResolverHas some issues with DNSSEC responses - this is under investigation.
dkg199.58.81.218
2001:470:1c:76d::53
853 443
53053dns.cmrg.net3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

NoneKnot ResolverSee https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here.
Has some issues with DNSSEC responses - this is under investigation.
dns.larsdebruin.net (Previously dns1.darkmoon.is)51.15.70.167853UPDATED on 30 Jan 2018
dns.larsdebruin.net
UPDATED on 30 Jan 2018 AAT+rHoKx5wQkWhxlfrIybFocBu3RBrPD2/ySwIwmvA=
Traffic volume onlyUnbound
securedns.eu146.185.167.43
2a03:b0c0:0:1010::e9a:3001
853securedns.eu2EfbwDyk2zSnAbBJSpCSWZKKGUD+a6p/yg2bxdC+x2A=
NoneHaProxy + BindUPDATED 2nd May 2018:
THIS SERVER WILL BE RETIRED IN THE VERY NEAR FUTURE. USE dot.secure.eu INSTEAD!!
NOTE: SecureDNS has support for additional TLDs of OpenNIC, Emercoin, and Namecoin
securedns.eu146.185.167.43
2a03:b0c0:0:1010::e9a:3001
853dot.securedns.euh3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
NoneHaProxy + BindNOTE 1: SecureDNS has support for additional TLDs of OpenNIC, Emercoin, and
NamecoinNOTE
NamecoinNOTE 2: While both secure.eu and dot.secure.eu are running pin only validation for dot.secure.eu will not work!
dns-tls.bitwiseshift.net81.187.221.24
2001:8b0:24:24::24
853dns-tls.bitwiseshift.netYmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=
NoneUnbound
ns1.dnsprivacy.at94.130.110.185
2a01:4f8:c0c:3c03::2
853ns1.dnsprivacy.atvqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
NoneUnboundSee https://dnsprivacy.at/
ns2.dnsprivacy.at94.130.110.178
2a01:4f8:c0c:3bfc::2
853ns2.dnsprivacy.ats5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
NoneUnbound
dns.bitgeek.in (India)139.59.51.46853dns.bitgeek.inFndaG4ezEBQs4k0Ya3xt3z4BjFEyQHd7B75nRyP1nTs=
Traffic volume onlyNginx + BIND
Lorraine Data Network80.67.188.188
2001:913::8
853
443

WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
Traffic volume onlystunnel 4 + BINDSee https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed).
A self-signed certificate is used, so SPKI pinning is must be used.
dns.neutopia.org89.234.186.112
2a00:5884:8209::2
853
443
dns.neutopia.orgwTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
No loggingKnot resolver
4)

Servers with

...

minimal logging/limitations

These servers use some logging, self-signed certs or no support for Strict mode.

Hosted byIP addressesTLS PortsHostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record publishedLoggingSoftwareNotes
Go6Lab2001:67c:27e4::35853privacydns.go6lab.sig5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=
UnknownUnbound
NIC Chile
dnsotls.lab.nic.cl
200.1.123.46
2001:1398:1:0:200:1:123:46
853
sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=YYes, for research purposesUnboundSelf-signed certificate, use SPKI pinning.
Yeti2001:4b98:dc2:43:216:3eff:fea9:41a853dns-resolver.yeti.eu.orgUPDATED on 26th Jun 2017
YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=

Yes, see Yeti websiteUnboundSee https://dns-resolver.yeti.eu.org/
OARC184.105.193.78
2620:ff:c000:0:1::64:25
853tls-dns-u.odvr.dns-oarc.netpOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
Yes, see OARC websiteUnboundSee OARC website NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations
.

...

.

...